In the evolutionary process of ISO 9001:2015, there are many iterations. The CD or Committee Draft, the DIS or Draft International Standard, and the FDIS or Final Draft International Standard are the stages that an ISO standard goes through on its path to becoming an International Standard. Let’s begin by using the definition of risk as “the degree of uncertainty on achievement of objectives” (COSO 2004). In the DIS, there was a definition for risk-based thinking. I have modified it a bit here:
Risk-based Thinking (aka RBT): “The activity of considering risk qualitatively and possibly quantitatively when planning, implementing and maintaining your quality management system.”
To break this down, RBT is an activity, a process. In this process you consider risk to the achievement of your objectives (clinical, financial, operational, etc.). This consideration may generate a record (FMEA, meeting minutes, etc.). The risk consideration may be qualitative (that which cannot likely be measured) or quantitative (that which can be measured). You make these considerations when planning, implementing and maintaining your QMS. Your QMS is a living, breathing system, constantly changing in our complex healthcare environment, so RBT is an ongoing process.
Annex A.4 in ISO 9001:2015 gives us more information about RBT. This Annex says that RBT is something that we often do subconsciously; it should be built into our governance and into our critical and complex processes. RBT incorporates preventive measures into our daily work. It should become an attribute of our hospital culture since everyone is responsible for risk.
Greg Hutchins, PE, CERM has defined RBT as “risk-based decision making” and “risk based problem solving”. We will always consider risk when determining corrective actions and when we make decisions. We decide, based on risk, before picking up a dirty needle. If we decide to pick up the needle, we decide to take measures so as not to harm others or ourselves. These definitions give RBT more context and give us insight into how to implement RBT in our management system.
The National Integrated Accreditation for Healthcare Organizations (NIAHO®) includes risk in QM6.SR5c for Goal measurement/Prioritization of Activities to include “high risk, problem-prone….processes, functions and areas”. QM8SR2c states that we need “defined processes to reduce risk”. And a proposed Annex to NIAHO® is entitled “Safety Risk Management”. DNV-GL Healthcare incorporates risk into the NIAHO® standard in many areas; therefore, risk-based thinking becomes a strong synergy to help us sustain our patient safety environment. This sustainable environment is made stronger when our process and risk integration is highly reliable.
Get familiar with RBT. Understand the integration of RBT with your current risk position from NIAHO. Neither ISO 9001 nor NIAHO® requires a risk-management framework, such as ISO 31000. Take the time to understand RBT. Maximize its value to patient safety by integrating it with your process management. Once you can maximize the value, consider an ISO 31000-based enterprise risk-management framework.
The success of RBT in hospitals is directly related to the commitment of leadership to the effective planning, implementation and maintenance of our management system. Leadership requirements in 2015 are now expanded. Objectives in the QMS are now required to integrate with strategic business objectives. This alignment should ensure that we now have one management system in our hospitals. This system should integrate quality, risk, finance and operations into a single hospital management system. As committed healthcare providers, we want to ensure confidence in our services. Our services are more reliable when our processes are in control and risk has been mitigated through effective risk-based thinking.